Easy End to MT Comment Spam

by John Pasden

19 Jul 2004

When I first started getting comment spam, I thought I could delete it manually. I didn’t realize how much I already had. When hours of manual deletions weren’t enough, I googled “comment spam” and found MT Blacklist. It’s a brilliant plug-in that allows MovableType users to deny comments from known spammers as well as easily delete from the database existing comments posted by spammers.

This is all well and good, but it depends on the blogger regularly updating his spammer definitions and then running MT Blacklist to remove newly posted spam. It’s certainly way better than deleting it all manually, but it’s far from automatic at this point, and it’s still a big pain.

I was quite pleased then, to discover another, simpler solution, which when used in conjunction with MT Blacklist should keep your Movable Type blog pretty much spamless:

…Spammers have automated scripts that look for Moveable Type blog sites and they then post to our comments using a direct call to the “mt-comments.cgi” script. If you installed Moveable Type into the default directory (/mt) then they know exactly where the script is and how to call it.

The solution is simple: rename the script to some odd name (ex. qwerty.cgi) and edit your mt.cfg to point to the renamed CGI script. Look for the line that is commented out and reads “# CommentScript mt-comments.cgi”. Uncomment the line and change the name of the script to the new name. You need to rebuild the site before it takes effect. Users will not be able to post comments while you are doing this but the entire process only takes a few minutes.

I made this modification about three weeks ago and have not had a single comment spam since then. [source]

Don’t forget to rebuild! Your comments won’t work until you do.

Granted, this is not a permanent solution, but it has drastically reduced my own comment spam, and I’ll take the break from comment spam as long as I can have it!

What about a script that, when run as a daily (or semi-daily) cron job (assuming you have access to your own cron on your host), changes the script name randomly (could be just about anything, so long as it was changed automatically in both places) and rebuilds the site (using the MT-Rebuild script). That way even if the spammer scanned the site and added it to the list of sites to spam it would only be a valid script for a little while at which point he’d have to rescan.

As it’s been pointed out, the spammers will develop scripts to glean the comments script filename so this won’t hold up forever.

I got my introduction to automated porn spam over the weekend. I logged in and found over 1000 spam comments, and subsequently discovered that MT had no good method of deleting the crapload. Since then, I’ve also installed Jay Allen’s Blacklist plugin.